The bug was caused by plainText serializing secured (instead of original) text.
Fixed the bug by adding new TextIterator behavior that serializes the original text
and using it in ReplacementFragment::ReplacementFragment.

If we're filling a rect or drawing an image, and it covers the entire canvas, we don't
need to worry about clearing outside the area updated by the operation if we're in
a composite mode that requires this (such as source-in, copy, etc.). In this case we
can take the simple path through the code and save a clear (for copy) or a temporary
image buffer (for the other modes).

No new tests - optimization, behaviour is unchanged and covered by existing tests.

To minimize the risk to LTR users, we enable this feature first to chromium win
by command line flag. This and corresponding changset in chromium
(​http://codereview.chromium.org/8400078/)
should be removed after this feature is enabled without command line flag.

The work flow is:

(chromium) adds command line flag --enable-visual-word-movement,
pass it to WebCore::Settings through WebPreferences.

At some points we didn't have any guarantee that a favicon has been loaded, so now
it stops to wait for the IconChanged signal. It also had some file paths in wrong format,
making some files to not be resolved and comparing meaningless bitmaps.

I removed port.factory.get, get_all, and all_port_names -- long-since deprecated
free functions in factory.py. To remove these required fixing all callsites
to use MockHost, Host, or PortFactory where appropriate. After this change
we're only left with a handfull of places where we inappropraitely use a
real Executive, FileSystem or User object during unittesting.

Scripts/webkitpy/common/checkout/baselineoptimizer_unittest.py:

These PortFactory overrides were from an earlier edition of my previous patch
in the end, I removed MockPortFactory so all tests ended up with this same
real PortFactory() with a MockHost. This was simply redundent code.

Scripts/webkitpy/layout_tests/controllers/manager_unittest.py:

Use MockHost to get a mocked-out PortFactory.

Scripts/webkitpy/layout_tests/controllers/manager_worker_broker.py:

This code has no access to a Host object, so we just use a default PortFactory
for now. This will still incorrectly create real Executive/FileSystem objects
durring unittesting, which is wrong. :(

This unittest was wrong. It was trying to pass the tool object, but failing to pass
the arguments in the right order. Fixing that made it use a MockFileSystem
(like it had been trying to), which then required us to actually populate
that MockFileSystem with fake expectation files (instead of using the ones on the real disk).

(WebKit::PluginControllerProxy::paint):
Don't translate the graphics context when the plug-in doesn't want window relative coordinates.
This also fixed a bug I introduced in my previous commit where we'd always pass the dirty rect in
plug-in coordinates even if the plug-in wants window relative coordinates.

IDBObjectStore.delete() was incorrectly firing an error if there
was no record to remove. Match the spec, and return true/false
as success values instead. Bring JSC binding implementation of
SerializedScriptValue more in line with V8 version for methods
called from IDB code.

There's been some discussion in the HTML working group about adding an
allow-popups directive to the iframe sandbox. Microsoft has added it
to IE10 platform preview and is fairly adamant about this feature
because it's needed by one or their products that's planning to use
iframe sandbox. Hixie says he'll add it to the spec once we implement
it, so here's our implementation. (See discussion in the W3C linked in
the bug for more details.)

This patch lands most of the infrastructure for this feature, but it
doesn't actually enable the feature. I'll enable it in a follow-up
patch.

This change makes it possible to change the backing store used by DRT
from Tiled Backing Store (TBS) to Single Backing Store (SBS) by
setting the environment variable DRT_USE_SINGLE_BACKING_STORE to 1.

No new tests; these classes will be used and tested by the MediaController feature.

Adds a abstract Clock class and two concrete, platform-specific subclasses.

Clock provides a basic interface for starting, stopping, and querying a generic timeline.
PlatformClockCA implements this interface using a CoreAudio CAClock object, which uses
the default audio device's hardware clock as a timing source. PlatformClockPOSIX
implements this interface using gettimeofday() as its timing source.

Cell recalculation is very expensive and should only be called when the section's structure
changed in a way that requires a safe update to its structure (like removing a row as our
column split may not be appropriate anymore).

The current code would abuse cell recalculation to actually reset the logical height on the
RowStruct. This change makes it do the right thing.

rendering/RenderTableCell.h:

rendering/RenderTableRow.h:

Removed styleWillChange override as it was unneeded.

rendering/RenderTableCell.cpp:

(WebCore::RenderTableCell::styleDidChange):

rendering/RenderTableRow.cpp:

(WebCore::RenderTableRow::styleDidChange):
Move the code from styleWillChange to styleDidChange.

rendering/RenderTableSection.cpp:

(WebCore::RenderTableSection::rowLogicalHeightChanged):
This function just reset the height on the |RowStruct| which is the
only part of recalcCells that we would need.

(WebCore::RenderTableSection::rowIndexForRenderer):
Added this function to find out which index a column has (strangely
RenderTableRow does not have this information).

This patch also fixes ​https://bugs.webkit.org/show_bug.cgi?id=70555
It was decided that fixed layout mode might need to be disabled for some content,
and so this change enables the embedder to decide whether to enable fixed layout on
navigation.

(browserWindowSetStatusText): Set status text and show/hide the
status label.
(resetStatusText): Reset status text when history menu is hidden.
(browserWindowHistoryItemSelected): Show url of currently selected
history item.
(browserWindowCreateBackForwardMenu): Connect to hide signal of
menu to reset the status text.
(browserWindowConstructed): Use GtkOverlay if available to show
status text.

(browserWindowHistoryItemActivated): Go to selected back formard
list item using webkit_web_view_go_to_back_forward_list_item()
(browserWindowCreateBackForwardMenu): Create a GtkMenu for the
given GList of WebKitBackForwardListItems.
(browserWindowUpdateNavigationActions): Enable/disable back and
forward buttons depending on whether it's possible to go
back/forward. Create a menu for back and forward toolbar buttons.
(backForwadlistChanged): Call browserWindowUpdateNavigationActions().
(browserWindowConstructed): Connect to WebKitBackForwardList
changed signal.

(resetEntryProgress): Reset the entry progress after a while when
load has been completed.
(webViewLoadProgressChanged): Update location entry progress.
(browserWindowConstructed): Connect to WebView
notify::estimated-load-progress signal.

Use the GTK+ API instead to add minimum functionality. The other
features will be ported to GTK+ API in following patches.

MiniBrowser/gtk/BrowserWindow.c:

(activateUriEntryCallback): Use webkit_web_view_load_uri().
(goBackCallback): Use webkit_web_view_go_back().
(goForwardCallback): Use webkit_web_view_go_forward().
(webViewURIChanged): Update location entry with current uri using
webkit_web_view_get_uri().
(browserWindowFinalize):
(browserWindowGetProperty):
(browserWindowSetProperty):
(browser_window_init):
(browserWindowConstructed): Connect to notify::uri signal of
WebView to be notified when the URI changes.
(browser_window_class_init):
(browser_window_new): Use WebKitWebView.
(browser_window_get_view): Use WebKitWebView

We implement our WkContextDownloadClient and the needed callbacks.
We also add APIs by exposing QWebDownloadItem. Objects from this type
have their ownership handled by QDesktopWebView and will be created or
destroyed as needed. Classes implementing ViewInterface (QDesktopWebViewPrivate
and TouchViewInterface) will receive a signal (downloadRequested) with a pointer
to the recently created QWebDownloadItem. With that they can connect the proper
signals and slots, set the download destination path and then call start().
Objects of this type will provide the progress of a download, a slot to cancel it,
and signals for getting finished or failure status.
QWebDownloadItem was also exposed in QML.
Qt needed an asynchronous way for UIProcess to return a destination path to WebProcess,
therefore the startTransfer API was added to WebKit2's Download handlers.

Shared/qt/WebCoreArgumentCodersQt.cpp:

(CoreIPC::::encode):
(CoreIPC::::decode):
Add encoding and decoding of suggestedFilename for ResourceResponse.

(WebKit::WebContext::download):
Using WebPageProxy::handleDownloadRequest to bootstrap a download through PageClient.

UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::receivedPolicyDecision):
Using handleDownloadRequest() to bootstrap a download through PageClient.
(WebKit::WebPageProxy::handleDownloadRequest): Calls PageClient::handleDownloadRequest().

Bootstrap our WKContextDownloadClient and set its callbacks.
This entity will also handle all downloads and keep a map of them.
It will be kept alive together with the WebContext as a static member
of QtWebPageProxy, so we can keep it across several WebPages and, therefore,
WebViews.

From now on it will keep a static QtDownloadManager to live together
with the default WebContext. It implements PageClient::handleDownloadRequest.
QtWebPageProxy::didReceiveDownloadResponse will emit the view's signal downloadRequested.

UIProcess/qt/QtTouchViewInterface.h:

(WebKit::QtTouchViewInterface::downloadRequested):

UIProcess/qt/QtViewInterface.h:

UIProcess/qt/qweberror.cpp:

(QWebError::description):

UIProcess/qt/qweberror.h:

(QWebError::errorCodeAsDownloadError):
Add Download error handling to QWebError and a new API
to retrieve the error description from the original ResourceError.
Also, it now has QWebDownloadItem::DownloadError errorCodeAsDownloadError()
that returns the error code as a DownloadError.

(WebKit::QtFileDownloader::init): start() was renamed to init().
(WebKit::QtFileDownloader::determineFilename):
Calling onReadyRead() here was unnecessary and it was triggering the overall
download process even before DownloadManager finished startDownload(). This
was leading to a DownloadManager with an empty list of downloads.
(WebKit::QtFileDownloader::startTransfer): decidedDestination() became startTransfer().
(WebKit::QtFileDownloader::abortDownloadWritingAndEmitError):
(WebKit::QtFileDownloader::handleDownloadResponse):
(WebKit::QtFileDownloader::onReadyRead):
(WebKit::QtFileDownloader::onFinished):
(WebKit::QtFileDownloader::cancel):

The IndexedDB spec says that cursors should be recycled when calling
continue(). Let the IDBRequest keep track of which cursor to return
upon success, and have the cursor use a new callback:
onSuccessWithContinuation() to signal that the continue was successful.

When we start using the new callback, the
storage/indexeddb/cursor-inconsistency.html layout test will start
passing.

Ensure AC is turned off for the desktop view before we launch the process.
This avoids "accidential" enterAc/exitAc calls that cause failing assertions
because we don't really support AC in this setup.

The touch side works the same way, i.e. enable the preference before calling
init().

fast/events/constructors/progress-event-constructor.html was failing
because of the wrong implementation of conversion from an ECMAScript value
to an IDL unsigned long long value (Spec: ​http://www.w3.org/TR/WebIDL/#es-unsigned-long-long).
In particular, the calculation of doubleValue % 2{64} was wrong.
This patch implemented it correctly in doubleToInteger() in wtf/MathExtras.h.

wtf/MathExtras.h:

(doubleToInteger): Implemented the spec correctly.

Source/WebCore:

fast/events/constructors/progress-event-constructor.html was failing
because of the wrong implementation of conversion from an ECMAScript value
to an IDL unsigned long long value (Spec: ​http://www.w3.org/TR/WebIDL/#es-unsigned-long-long).
In particular, the calculation of doubleValue % 2{64} was wrong.
This patch implemented it correctly in doubleToInteger() in wtf/MathExtras.h.

bindings/js/JSDictionary.cpp:

(WebCore::JSDictionary::convertValue): Uses doubleToInteger().

bindings/v8/OptionsObject.cpp:

(WebCore::OptionsObject::getKeyValue): Ditto.

LayoutTests:

Enabled progress-event-constructor.html on Chromium-Mac.

fast/events/constructors/progress-event-constructor-expected.txt:

fast/events/constructors/progress-event-constructor.html: The change from "12345678901234567168" to "12345678901234567890" is not related to this patch. Just to fix typo. The reason for whether "12345678901234567168" or "12345678901234567890" does not matter is that both values are toStringed to the same value "12345678901234567000".

GtkLauncher2 is the GtkLauncher code compiled with webkit2. This
made sense when we wanted to implement the exactly same wk1 API
for wk2. Now the code would require an ifdef for most the api, so
it's better to remove GtkLauncher2 and port MiniBrowser to the new
GTK+ API.

This makes inlined arguments retrieval use some of the same machinery as
OSR to determine where from, and how, to retrieve a value that the DFG
might have somehow squirreled away while the old JIT would put it in its
obvious location, using an obvious format.

To that end, previously DFG-internal notions such as DataFormat,
VirtualRegister, and ValueRecovery are now in bytecode/ since they are
stored as part of InlineCallFrames.

It was somewhat unclear how CSP should treat plugins that lacked a URL
because most of the CSP rules are URL-based. At TPAC, we decided to
treat "empty" URLs as if there were the URL of the document. That
means you can use plugins with no URL if you've included 'self' in
object-src, but you can also block them by using 'none' as your
object-src.

This entire change is splitting mocktool.py into separate _mock.py files
and placing them next to their real implementations.

I also deleted MockPortFactory (since it was wrong) and was just hiding
the fact that the "skipped-ports" command was broken (and has been for a long time).
So I made MockHost use a real PortFactory (passed a MockHost) and changed
the skipped-ports implementation to use modern PortFactory methods.

There's been some discussion in the HTML working group about adding an
allow-popups directive to the iframe sandbox. Microsoft has added it
to IE10 platform preview and is fairly adamant about this feature
because it's needed by one or their products that's planning to use
iframe sandbox. Hixie says he'll add it to the spec once we implement
it, so here's our implementation. (See discussion in the W3C linked in
the bug for more details.)

(JSC::PropertyDescriptor::setDescriptor):
The attributes returned from Structure::get do not include Getter or Setter, so
instead check if the value is a GetterSetter like we do elsewhere. If it is, update
the descriptor's attributes accordingly.

On X86 we sometimes use FASTCALL convention functions, for example the
cti functions, and we may need the pointers to such functions, e.g.,
in current DFG register file check and arity check, though long term
we may avoid such usage of cti calls in DFG.

Ryosuke Niwa, in ​http://webkit.org/b/70862, asked me to replace usages
of String with StringImpl. I've done more than what he asked in this
patch, the biggest change being that CharacterData now holds a String
instead of a RefPtr<StringImpl>.

(top level): Parse options, check that the working tree is clean, then run in either
interactive or non-interactive mode as appropriate.
(interactive): Write out a temp file that contains each commit with "NOBODY" next to it and
open it in the user's editor. The user can replace "NOBODY" with reviewer names. When the
editor exits, we check out the commit just before the earliest one we're modifying. Then
for each commit, we check it out, update the reviewer, and amend the commit to contain the
new reviewer. Finally, we update the branch that was originally checked out to point to the
last amended commit.
(nonInteractive): Check out the commit to modify, write the current commit message to the
MERGE_MSG file so addReviewer will update it, add the reviewer to the ChangeLog(s), amend
the commit, and rebase the original branch on top of the amended commit. (usage): Print out
a usage message and exit.
(requireCleanWorkTree): Do the same steps git-rebase does to ensure that the working tree
and index are clean.
(fail): Print out the specified error message, if any, and return false. This function is
used as a return value in various error cases throughout the script.
(cherryPick): Cherry-pick the specified commit and return 1 if we succeeded.
(addReviewer): Add the specified reviewer to all the ChangeLogs modified in this commit, and
to .git/MERGE_MSG, which will be used as the commit message for the next commit.
(commit): Call git-commit and use .git/MERGE_MSG as the commit message.

(addReviewerToChangeLog):
(addReviewerToCommitMessage):
These just call through to addReviewerToFile.

(addReviewerToFile): Read in the file, replacing any "NOBODY" text with the reviewer name(s)
and replacing "Reviewed" with "Rubber-stamped" if specified. Write the resulting text to a
temp file, then move the temp file over the original file and stage it for the next commit.
(head): Returns the name of the currently-checked-out branch.
(isAncestor): Returns true if the first commit is an ancestor of the second.
(toCommit): Converts a commitish to a commit ID using git-rev-parse.
(changeLogsForCommit): Returns a list of all the ChangeLogs modified in the given commit.
(resetToCommit): Checks out the given commit, throwing away any local changes.
(writeCommitMessageToFile): Gets the commit message for the current commit and writes it to
the specified file.
(rebaseOntoHead): Rebases the specified branch onto HEAD.
(checkout): Checks out the given commit.
(getConfigValue): Reads the specified config variable from git-config.

If there is a mix of inline and block items, all the inline items were already getting wrapped
(see RenderBlock::addChildIgnoringAnonymousColumnBlocks). However, if there are only inline items,
we need to force them into an anonymous block.

There are still lots of bugs because we're trying to read style values from the anonymous block,
but this at least causes layout to be called on all the render objects.

(WebCore::DragController::dragEntered):
(WebCore::DragController::dragUpdated):
(WebCore::DragController::dragEnteredOrUpdated):
(WebCore::DragController::tryDocumentDrag): In addition to determining the
drag operation, DragSession is updated with data regarding whether the mouse
is over a file input, and the number of items that would be accepted based on
the mouse's location.

page/DragController.h:

page/DragSession.h: Added.

(WebCore::DragSession::DragSession): Keep track of current operation, whether
the mouse is over a file input element, and how many files would be accepted if
dropped.

platform/DragData.h: Added numberOfFiles()

platform/chromium/DragDataChromium.cpp:

(WebCore::DragData::numberOfFiles):

platform/efl/DragDataEfl.cpp:

(WebCore::DragData::numberOfFiles):

platform/gtk/DragDataGtk.cpp:

(WebCore::DragData::numberOfFiles):

platform/mac/DragDataMac.mm:

(WebCore::DragData::numberOfFiles):

platform/qt/DragDataQt.cpp:

(WebCore::DragData::numberOfFiles):

platform/win/DragDataWin.cpp:

(WebCore::DragData::numberOfFiles):

platform/wince/DragDataWinCE.cpp:

(WebCore::DragData::numberOfFiles):

platform/wx/DragDataWx.cpp:

(WebCore::DragData::numberOfFiles):

Source/WebKit/chromium:

src/WebViewImpl.cpp:

(WebKit::WebViewImpl::dragTargetDragEnterOrOver): The drag operation is contained
within the new DragSession struct. Minor refactor.

Calling the static version of factory.get() with proper mocking
requires passsing an explict filesystem, executive, etc.
So instead, we use a PortFactory instance and pass it a Host pointer.
I had to add a MockHost since we'd not needed a non-host tool before now.

BuiltInPDFPlugin doesn't have access to original ResourceResponse and has to re-create it
It doesn't seem to be possible to create an NSURLResponse with a non-null HTTP status code,
and NetscapePlugInStreamLoader becomes unhappy.

Firefox and Opera accepts any character inside a string except
newline and starting quote character. This behaviour matches to
the CSS 2.1 grammar: ​http://www.w3.org/TR/CSS2/grammar.html
WebKit should follow them.

Added a new method to return the label text for a file upload control that
allows multiple files. Needed to extend the RenderTheme function to pass down
a boolean representing whether multiple files are allowed in the file list.

Make sure that the view is properly focused, in order to get the
didBeginEditing DRT calls.

This requires activating the window (the call will result in a FocusIn
event to the window as well as setting QGuiApplication::focusWindow())
as well as enabling the focus on the view item. The signature of
setFocus has changed to take a boolean.

Adds a mechanism for the WebView to send messages to the JavaScript environment
of the web page. In the WebView we have a method postMessage() and a signal
messageReceived(), while in the web page we expose a navigator.qt object with a
postMessage() method and a onmessage property. The messages are objects that
follow the same structure as MessageEvents.

The feature is disabled by default, and can be enabled by setting
QWebPreferences::navigatorQtObjectEnabled property to true. Changes take effect
after the next load(). QML tests are included.

UIProcess/qt/ClientImpl.h:

UIProcess/qt/ClientImpl.cpp:

(setupContextInjectedBundleClient): Helper to register the injected bundle client.
(qt_wk_didReceiveMessageFromInjectedBundle): Decode and dispatch a message received
from the WebProcess to the WebPageProxy.

UIProcess/PageClient.h:

(WebKit::PageClient::didReceiveMessageFromNavigatorQtObject):

UIProcess/WebPageProxy.cpp:

(WebKit::WebPageProxy::didReceiveMessageFromNavigatorQtObject):

UIProcess/WebPageProxy.h:

Handle messages received from the navigator.qt object via the injected bundle. Called
from the ClientImpl.

The bug was caused by insertFragmentForTestRendering's always inserting a node for test rendering
into document's body.

Fixed the bug by inserting the node for test rendering into the root editable element. In addition,
remove the node before dispatching beforeTextInserted event to avoid event listeners, in particular
TextFieldInputType::handleBeforeTextInsertedEvent, from seeing the test node.

Remove the transparent background color from inline style declarations in the pasted content.
Also fixed a bug in removeStyleFromRulesAndContext that it removes properties in inline style
declarations even if those properties were overridden.

Touching the screen when a kinetic scrolling animation is running or
it is bouncing back because it was out of bounds, the animation is
immediately stopped and the content is immediately put into valid
bounds.

Touching the screen when the contents is bouncing back from a pinch
zoom which was out of bounds, we do not stop the animation, but
instead ignored the touch events while the animation lasts.

In the future we want to queue the events instead.

This also fixes some issues which was present before: As the bounce
back animation from pinch zoom centers the content using the contents
point which was in the center of the viewport, this animation could
not be used when stopping a pan animation, as it wouldn't position the
content at the place it was when the pan animation was interrupted.

Have CSSRule::cssText() redirect to the appropriate subclass based on type().
This is one of the last steps of devirtualizing CSSRule completely, which will
allow us to get rid of its vtable, and each instance's pointer thereto.

(WebKit::WebPageProxy::handleTouchEvent): Add support for m_shouldSendEventsSynchronously.

UIProcess/qt/QtDesktopWebPageProxy.cpp:

(QtDesktopWebPageProxy::handleEvent): Handle plain touch events in the desktop page proxy by
forwarding them appropriately. We will receive them from WTR through ::event, but we won't
receive them from QQuickCanvas (i.e. the user) because that doesn't uses ::event but only
dedicated fooEvent() handlers, of which we don't re-implement the touch version.
(QtDesktopWebPageProxy::handleTouchEvent): Forward touch events to WebPageProxy.

UIProcess/qt/QtDesktopWebPageProxy.h:

WebProcess/WebPage/WebPage.cpp:

(WebKit::WebPage::touchEventSyncForTesting): Add support for synchronous touch event testing,
similar to the way it's done for mouse events.

WebProcess/WebPage/WebPage.h: Ditto.

WebProcess/WebPage/WebPage.messages.in: Ditto.

Tools:

WebKitTestRunner/DerivedSources.pro: Build system foo to ensure the ENABLE_TOUCH_EVENTS

Some additional dirty areas caused by re-layout have ignored
since updateLayoutAndSytleIfNeedeRecursive is called after gathering dirty area to repaint.
So ewk_view_layout_if_needed_recursive is relocated before getting dirty areas.

(-[DOMHTMLSelectElement _activateItemAtIndex:]): Replaced setSelectedIndexByUser
call with a call to the renamed optionSelectedByUser, also removed one argument.
(-[DOMHTMLSelectElement _activateItemAtIndex:allowMultipleSelection:]): Ditto.

html/HTMLOptionElement.cpp:

(WebCore::HTMLOptionElement::setSelected): Replaced setSelectedIndex call with a
call to the new optionSelectionStateChanged function.
(WebCore::HTMLOptionElement::insertedIntoTree): Ditto.

html/HTMLSelectElement.cpp:

(WebCore::HTMLSelectElement::HTMLSelectElement): Updated since m_userDrivenChange
was renamed to m_isProcessingUserDrivenChange.
(WebCore::HTMLSelectElement::optionSelectedByUser): Removed deselect argument,
which was always true for all callers. Updated comment.
(WebCore::HTMLSelectElement::hasPlaceholderLabelOption): Updated comment.
(WebCore::HTMLSelectElement::setOption): Call the new optionSelectionStateChanged
function. The code used to explicitly ask the function it calls to deselect base
on the value of m_multiple, but that is no longer needed because the selectOption
function itself takes care of that check.
(WebCore::HTMLSelectElement::dispatchChangeEventForMenuList): Renamed this function.
Also updated for name change to m_isProcessingUserDrivenChange.
(WebCore::HTMLSelectElement::setSelectedIndex): Moved the formerly-inlined function
here from the header and changed it to call the renamed selectOption function.
(WebCore::HTMLSelectElement::optionSelectionStateChanged): Added this function.
It is used by callers that were previously using setSelectedIndex and passing
"false" for the deselect argument. It's better now that setSelectedIndex is now a
pure DOM setter function without the multiple purposes it had before. This function
now has the logic that handles the special handling when deselecting an option,
which used to be at the top of the next function.
(WebCore::HTMLSelectElement::selectOption): Renamed this from setSelectedIndex.
Replaced boolean arguments with flags. Removed code to handle the special case
when we deselect an option; that's now handled in the optionSelectionStateChanged
function. Added an assertion to replace a comment and updated for other renaming.
(WebCore::HTMLSelectElement::dispatchBlurEvent): Updated for name change.
(WebCore::HTMLSelectElement::platformHandleKeydownEvent): Ditto.
(WebCore::HTMLSelectElement::menuListDefaultEventHandler): Changed to call the
new selectOption function and also updated for other name changes.
(WebCore::HTMLSelectElement::typeAheadFind): Ditto.
(WebCore::HTMLSelectElement::accessKeySetSelectedIndex): Ditto.

html/HTMLSelectElement.h: Changed the setSelectedIndex to be a pure setter

function for the selectedIndex DOM property. Added a optionSelectedByUser function
for the other use of setSelectedIndex, but removed the always true "deselect"
argument from it. Added a optionSelectionStateChanged function for use in the
HTMLOptionElement implementation. Renamed menuListOnChange to
dispatchChangeEventForMenuList for clarity. Added a SelectOptionFlag and
SelectOptionFlags type for the arguments to the selectOption function, formerly
implemented as an overload of setSelectedIndex (and called setSelectedIndexInternal
before that). Renamed m_userDrivenChange to m_isProcessingUserDrivenChange.

rendering/RenderMenuList.cpp:

(WebCore::RenderMenuList::valueChanged): Replaced setSelectedIndexByUser
call with a call to the renamed optionSelectedByUser, also removed one argument.

Source/WebKit/chromium:

tests/PopupMenuTest.cpp:

(WebKit::TestPopupMenuClient::valueChanged): Replaced setSelectedIndexByUser
call with a call to the renamed optionSelectedByUser, also removed one argument.

[NSURL _drt_descriptionSuitableForTestResult] was generating a NSRangeException due to the call to
[NSString substringFromIndex:] with an index out of the string range.

The source of this path is the test-loading-archive-subresource-null-mimetype.html which load a subresource
from the root of the disk.
The problem was hidden because the exception are catched when calling the delegate.

This patch changes _drt_descriptionSuitableForTestResult to return absolute string if the resource is not
in a subdirectory of the main frame.

DumpRenderTree/mac/ResourceLoadDelegate.mm:

(-[NSURL _drt_descriptionSuitableForTestResult]):

LayoutTests:

Update the test results following the fix of _drt_descriptionSuitableForTestResult.

(WebCore::RenderTableCell::setCol):
(WebCore::RenderTableCell::setRow):
Added overflow checks to the 2 previous methods. We
CRASH even in release to avoid potential badness
(the limit is currently above 2 billions rows or columns
which is high enough to prevent it being hit by accident)

Source/WebKit/chromium:

WebKit.gypi:

tests/RenderTableCellTest.cpp: Added.

Added some tests for the column/row index limit
that was implemented in RenderTableCell.

Source/WebCore: [chromium] As of r98380, ThreadableLoaderClients are having their
ResourceRequest::TargetType clobbered. They set their own
type, but CachedResourceRequest (through which they now flow)
sets a TargetType without bothering to see if one has already been set.​https://bugs.webkit.org/show_bug.cgi?id=70972

Reviewed by Darin Fisher.

No new tests, this is chromium-specific and only affects
behavior seen in full builds of chromium.

Call SVGResourcesCache::clientLayoutChanged whenever the element or its children need layout. Previously,
invalidation was only performed if the element itself needed layout; now we also invalidate if any child
needs layout and there is a filter applied, as the cached filter result can depend on the layout of children.

Test: svg/filters/invalidate-on-child-layout.svg

rendering/svg/RenderSVGContainer.cpp:

(WebCore::RenderSVGContainer::layout):

rendering/svg/SVGResourcesCache.cpp:

(WebCore::SVGResourcesCache::clientLayoutChanged):

Add a test that ensures that changing the layout of a child of a filtered element invalidates the filter.

Do not invalidate the cached time when receiving a mediaPlayerRateChanged notification
while paused. AVFoundation in particular can return different results for currentTime()
when asked after being paused, breaking layout tests.

html/HTMLMediaElement.cpp:

(WebCore::HTMLMediaElement::mediaPlayerRateChanged):

LayoutTests:

Some media engines will cause multiple timeupdate events after pausing; so deregister
the timeupdate event listener after receiving the first one.

Calling error without ending the request set up the CachedResourceRequest so that it could
actually send out two notifyFinished() events. This probably was the root cause of
lots of crashing instability; I know from crbug.com/75604 that this bug was causing lots
of crashes in ScriptRunner/ScriptElement for instance.

The fix is easy: just properly end the request instead of just calling error, and we won't
re-notify.

The refactoring in r98738 changed the way we handle the size to avoid throwing off
the memory. The new logic would end up never shrinking the grid's size (prior to that
we would grow to the appropriate size and throw the excess capacity with shrinkToFit).
Not shrinking would mean that we would potentially read RowStruct with the default values
(for instance no |rowRenderer|).

addCell will properly grow the grid as needed to accomodate the rows and the protruding
cells with a rowspan so we introduce a variable to keep track of the size needed. At the
end, we just shrink it to this size.

rendering/RenderTableSection.cpp:

(WebCore::RenderTableSection::recalcCells):
Introduce a variable to keep the grid size and shrink to that size to match the old code.

LayoutTests:

Those tests checks that an empty section would not lead to reading
RowStruct without a |rowRenderer| which would crash.

Move methods from QTouchWebPage to QTouchWebView (through the base class).

We use the same convenience macros as Qt internally by hiding QObject::d_ptr
with QBaseWebView::d_ptr instead of inheriting QBaseWebViewPrivate from
QQuickItemPrivate.
Also, QBaseWebView currently inherits from QQuickPaintedItem since QDesktopWebView
needs it, but should be changed as soon as this is not required anymore.

(WebKit::PluginProxy::paint):
Since the dirty rect passed to paint is now in plug-in coordinates, there's no need to convert it
from window coordinates to plug-in coordinates before passing it to BackingStore::paint.

(WebKit::PluginProxy::deprecatedGeometryDidChange):
Assert that we're not calling this anymore.

Create a builtin bundle for Qt port: an InjectedBundle which the code is together
with the Qt's web process instead of being in a different library. This gives us
access to many hooks at web process (using WKBundle* functions of C API) without
adding any maintenance burden to cross-port code.

Since we also use a InjectedBundle in the WebKitTestRunner, we only install our
builtin bundle if there's no other installed. This is fine because WTR won't use
the extra runtime features that we plan to provide with the builtin bundle.

Added parallel tracing to the GC. This works by having local mark
stacks per thread, and a global shared one. Threads sometimes
donate cells from the mark stack to the global one if the heuristics
tell them that it's affordable to do so. Threads that have depleted
their local mark stacks try to steal some from the shared one.

Marking is now done using an atomic weak relaxed CAS (compare-and-swap).

This is a 23% speed-up on V8-splay when I use 4 marking threads,
leading to a 3.5% speed-up on V8.

It also appears that this reduces GC pause times on real websites by
more than half.

Return false in FrameView::isOnActivePage() if m_frame->document() is
null. Other calls to m_frame->document() in FrameView also have a null
check. The frame can have a null document if the FrameLoader is loading
the initial empty document.

(RecentBuildsLoader.prototype.start): Relax a regex to gloss over differences in ORWT's vs.
NRWT's leaks-related output (i.e., "M total leaks found!" vs. "M total leaks found for a
total of N bytes!").

Value profiles now have an extra special slot not used by the old JIT's
profiling, which is reserved for OSR exits.

The DFG's OSR exit code now knows which register, node index, and value
profiling site was responsible for the (possibly flawed) information that
led to the OSR failure. This is somewhat opportunistic and imperfect;
if there's a lot of control flow between the value profiling site and the
OSR failure point, then this mechanism simply gives up. It also gives up
if the OSR failure is caused by either known deficiencies in the DFG
(like that we always assume that the index in a strict charCodeAt access
is within bounds) or where the OSR failure would be catalogues and
profiled through other means (like slow case counters).

This patch also adds the notion of a JSValueRegs, which is either a
single register in JSVALUE64 or a pair in JSVALUE32_64. We should
probably move the 32_64 DFG towards using this, since it often makes it
easier to share code between 64 and 32_64.

Also fixed a number of pathologies that this uncovered. op_method_check
didn't have a value profiling site on the slow path. GetById should not
always force OSR exit if it never executed in the old JIT; we may be
able to infer its type if it's a array or string length get. Finally,
these changes benefit from a slight tweak to optimization delay
heuristics (profile fullness is now 0.35 instead of 0.25).

3.8% speed-up on Kraken, mostly due to ~35% on both stanford-crypto-aes
and imaging-darkroom.

Fixed the bug by removing nested block elements in removeRedundantStylesAndKeepStyleSpanInline.

Tests: editing/pasteboard/contenteditable-pre-2.html

editing/pasteboard/contenteditable-pre.html

editing/ApplyStyleCommand.cpp:

editing/ReplaceSelectionCommand.cpp:

(WebCore::ReplaceSelectionCommand::removeRedundantStylesAndKeepStyleSpanInline): Remove block
elements if it's identical to its parent and there are no contents between the two. Also remove
contenteditable attribute from an element if the parent is already richly editable.
(WebCore::ReplaceSelectionCommand::doApply): Remove redundant styles after removing the placeholder
br so that the above check doesn't get affected by the placeholder.

editing/htmlediting.cpp:

(WebCore::areIdenticalElements): Moved from ApplyStyleCommand.
(WebCore::isNonTableCellHTMLBlockElement): Moved from markup.cpp.

Added tests for GET and POST methods for text/plain enctype.
Forms submitted using GET with a content-type of text/plain actually,
send data in URL encoded in the URL.
Forms with POST method and content-type of text/plain actually send data in text/plain.
Modified expected results for mailto tests as per the new behavior.

(WebKit::NetscapePlugin::geometryDidChange):
Implement NetscapePlugin::geometryDidChange and store the plug-in size,
the clip rect and the root view transform. Use the transform to compute the window
relative frame and clip rects.

WebProcess/Plugins/Netscape/NetscapePlugin.h:

Add new member variables.

WebProcess/Plugins/PluginView.cpp:

(WebKit::PluginView::viewGeometryDidChange):
Always call the new Plugin::geometryDidChange.

simplified definition from jit/JITStubs.cpp.
(FUNCTION_WRAPPER_WITH_RETURN_ADDRESS, getHostCallReturnValue):
Use the macro to access trampoline targets through the PLT on PIC
systems, instead of introducing a text relocation. Otherwise, the
library fails to link.

Calls the ewk_tile_unused_cache_auto_flush function after changing max
size of cache when ewk_tile_unused_cache_max_set is called. Without
this change when new value is lower than the old one the cache may use
more memory than max value set. This situation is not expected by the
user.

Restructure and movement of Lexer and Parser code.
Moved Lexer and Parser objects out of JSGlobalData.
Added a new ParserTokens class and instance to JSGlobalData that
have JavaScript token related definitions.
Replaced JSGlobalData arguments to Node classes with lineNumber,
as that was the only use of the JSGlobalData.
Combined JSParser and Parser classes into one class,
eliminating JSParser.h and .cpp.
Various supporting #include changes.

These mostly mechanical changes are done in preparation to
making the Lexer and Parser template classes.

Uncaught syntax errors in inline event handlers are now reported to
window.onerror handler.

Reviewed by Geoffrey Garen.

Tests: fast/events/window-onerror-exception-in-attr.html

fast/events/window-onerror-syntax-error-in-attr.html

bindings/js/JSLazyEventListener.cpp:

(WebCore::JSLazyEventListener::initializeJSFunction): report exception as usual
if it happens during event handler compilation.

LayoutTests:

Added a couple of window.onerror tests for the cases when uncaught exception
occurs in inline event handler. Test for non-syntax errors passed before this change
as well and just extends test coverage for window.onerror functionality.

LayoutTests: ​https://bugs.webkit.org/show_bug.cgi?id=70658
[JSC] Implement MessagePort transfer in JSC bindings implementation of webkitPostMessage.
Some 'FAIL's remain in expected test results. These are due to the fact that
JSC bindings chose not to throw type error exception for non-serializable values -
non-serializable values are serialized as null.

No new tests, since while I can see exactly where the DFG went wrong on the
site in question from looking at the generated machine code, and while I can
certainly believe that such a scenario would happen, I cannot visualize how
to make it happen reproducibly. It requires an odd combination of double
values getting spilled and then refilled, but then reboxed at just the right
time so that the spilled value is an unboxed double while the in-register
value is a boxed double.

This change just makes a bunch of our older tests use
more modern mocking to avoid trying to launch processes
or read from the user's filesystem during unittesting.

I found many of these by adding an assert in Executive.run_command
that we were not unittesting. I can't add that assert always
as there are some valid uses of Executive during unittesting.
Once I fix more of these, I may find a way to add such an assert conditionally.

Adding explicit FixedRect constructors to IntRect. Previously, FixedRect->IntRect went through FloatRect, which lost precision and caused overflow in some cases. Fixing some scrollbar paint issues on Mac.

Remove the StyleBase class and make all subclasses stand alone. CSSRule and StyleSheet
now inherit from RefCounted<T> instead, and XSLImportRule doesn't even need that,
so StyleBase is replaced by nothing.

StyleSheet now inherits directly from RefCounted and always has a parent CSSRule
though it can be null. parentStyleSheet() returns that rule's parent style sheet.
Moved the relevant guts from StyleBase down here.

loader/cache/CachedStyleSheetClient.h:

Remove unnecessary WTF_MAKE_FAST_ALLOCATED, we get it from CachedResourceClient.

Implement intrinsic sizing support for SVGImage (svg embedded through <html:img>/<svg:image>/background-image/border-image/...).
This is demanded by CSS 2.1, and covered by new layout tests in LayoutTests/css2.1 and several new custom testcases.

rendering/ImageBySizeCache.cpp: Cleanup code.
(WebCore::ImageBySizeCache::addClient): Assert the passed renderer is valid.
(WebCore::ImageBySizeCache::removeClient): Ditto. Allow removeClient() to be called w/o prio addClient() usage.
(WebCore::ImageBySizeCache::getImage): Add zoom parameter.
(WebCore::ImageBySizeCache::getRequestedSizeAndZoom): Add way to get requested size from cache, instead of actual cached sizes.
(WebCore::ImageBySizeCache::imageForSize): Respect empty sizes, just return 0, instead of asserting.
(WebCore::ImageBySizeCache::imageForRenderer): Added a helper that retrieves an image for a renderer, by lookup up its size and using imageForSize().

rendering/RenderBoxModelObject.cpp: Implement CSS 2.1 intrinsic size negotiation for images.
(WebCore::resolveWidthForRatio): New inline helper function used by calculateImageIntrinsicDimensions.
(WebCore::resolveHeightForRatio): Ditto.
(WebCore::resolveAgainstIntrinsicWidthOrHeightAndRatio): Ditto.
(WebCore::resolveAgainstIntrinsicRatio): Ditto.
(WebCore::RenderBoxModelObject::calculateImageIntrinsicDimensions): New helper function, containing the main algorithm, which is a pure transcription of the spec.
(WebCore::RenderBoxModelObject::calculateFillTileSize): Use new calculateImageIntrinsicDimensions() helper to figure out the intrinsic size.
(WebCore::RenderBoxModelObject::calculateBackgroundImageGeometry): Propagate calculateFillTileSize() result to the image resource, via setContainerSizeForRenderer().
(WebCore::RenderBoxModelObject::paintNinePieceImage): Use new calculateImageIntrinsicDimensions() helper to figure out the intrinsic size.

rendering/RenderImage.cpp:
(WebCore::RenderImage::RenderImage): Use IntSize(), instead of IntSize(0, 0).
(WebCore::RenderImage::updateIntrinsicSizeIfNeeded): Refactored from imageDimensionsChanged().
(WebCore::RenderImage::imageDimensionsChanged): Use updateIntrinsicSizeIfNeeded().
(WebCore::RenderImage::computeReplacedLogicalWidth): Use RenderReplaced::computeReplacedLogicalWidth() exclusively. For this to work, the intrinsic size must be correct.
(WebCore::RenderImage::computeIntrinsicRatioInformation): Default implementation for non-SVGImages.
(WebCore::RenderImage::needsPreferredWidthsRecalculation): Return true, just like RenderPart, if embeddedContentBox is not null.
(WebCore::RenderImage::embeddedContentBox): Returns the RenderSVGRoot* renderer of the embedded SVG, if possible.

rendering/RenderImageResourceStyleImage.cpp:
(WebCore::RenderImageResourceStyleImage::image): embeddedContentBox() is now calling image() earlier than before. We now have to handle the case that the image is pending.
(WebCore::RenderImageResourceStyleImage::setContainerSizeForRenderer): Pass zoom factor.

rendering/RenderReplaced.cpp:
(WebCore::RenderReplaced::computeIntrinsicLogicalWidth): Generalized this code, as RenderImage is using it as well now. Marginal changes needed.
(WebCore::RenderReplaced::computeIntrinsicLogicalHeight): Ditto.
(WebCore::RenderReplaced::computeReplacedLogicalWidth): Ditto.

svg/graphics/SVGImage.cpp:
(WebCore::SVGImageChromeClient::isSVGImageChromeClient): Return true, used to identify whether RenderSVGRoot is embedded through SVGImage.
(WebCore::SVGImage::createWithDataAndSize): Add new helper function.
(WebCore::SVGImage::setContainerZoom): Forwarded to Page::setPageZoomFactor.
(WebCore::SVGImage::setContainerSize): Assert that container size is not empty. We should never receive an empty container size.
(WebCore::SVGImage::usesContainerSize): Adapt to override container size changes, it now lives in RenderSVGRoot instead of SVGSVGElement.
(WebCore::SVGImage::size): New algorithm to figure out the size of an embedded SVG, as demanded by the CSS/SVG specs.
(WebCore::SVGImage::embeddedContentBox): Add helper which returns the RenderSVGRoot of the document.
(WebCore::SVGImage::computeIntrinsicDimensions): Implement intrinsic ratio calculation.
(WebCore::SVGImage::dataChanged): Force calling FrameView::setCanHaveScrollbars(false), as SVG images now always synthesize a viewBox, and thus never receive scrollbars.

Change QWebPreferences to keep a pointer to QtWebPageProxy. The reason is that
some features we want to control (like the messaging exchange between WebView and
the web process) are not available via WKPreferencesRef.

QtWebPageProxy now uses an OwnPtr to keep the QWebPreferences to clarify the
ownership relationship. Before this change the QWebPreferences created was leaking.

WebKit style is to use the implicit Boolean conversions rather than
calling get() on these pointer types. This patch cleans up most (all?)
of these style issues in the Chromium port in the hopes that they'll be
copy/pasted less in the future.

Paint the WebView into a backing store. This prevents expose events from
triggering a layout, making scrolling and resizing much smoother.

WebCoreSupport/ChromeClientGtk.cpp:

(WebKit::ChromeClient::ChromeClient): Initialize new members.
(WebKit::repaintEverythingSoonTimeout): Added this helper which repaints
the WebView more quickly during resize events.
(WebKit::clipOutOldWidgetArea): Clips out the old widget area, so that we
can clear out invalid pixels when growing the widget into a pre-existing
backing store.
(WebKit::clearEverywhereInBackingStore): Clear out the entire backing store.
(WebKit::ChromeClient::widgetSizeChanged): Handle widget size changes by
intelligently resizing or reusing the existing backing store.
(WebKit::coalesceRectsIfPossible): Moved this method from webkitwebview.cpp.
(WebKit::paintWebView): Moved this method from webkitwebview.cpp.
(WebKit::ChromeClient::performAllPendingScrolls): If there are any pending
scrolling operations, perform them by scrolling the backing store.
(WebKit::ChromeClient::paint): Added this timer callback, which paints the
WebView after a short timeout.
(WebKit::ChromeClient::invalidateWindow): No need to do anything here any longer.
(WebKit::ChromeClient::invalidateContentsAndWindow): Now unite the rect with
the existing dirty region and queue the paint timeout.
(WebKit::ChromeClient::scroll): Now just queue a scroll event in the repaint timeout.
Intelligently calculate the area to move and the dirty area using code derived
from WebKit2.

WebCoreSupport/ChromeClientGtk.h: Added new method definitions and also use

the WebCore namespace to avoid lots of uses of "WebCore::".

webkit/webkitwebview.cpp:

(webkit_web_view_draw): Now just blit the backing store into the widget.
(webkit_web_view_expose): Ditto.
(webkit_web_view_size_allocate): Let the ChromeClient know the widget size changed.
(webkit_web_view_init): Turn off GDK double buffering as we have our own double
buffer.

Unreviewed. I would have preferred to have this reviewed,
but relevant reviewers are asleep and bots are broken.

This was a regression from moving to a clean environment.
ChromiumWin (and possibly other ports), need the "PATH"
environment copied over. This wasn't caught in my testing
because although we had unittests to cover this, they
weren't being run on anything but windows. The vast majority
of this change is just fixing the unittests to use our
modern MockFileSystem/MockUser/MockExecutive so they can
be run on any system (and removing the platform checks from
the unittests so they are run everywhere).

The actual fix is the single line "PATH" string added to base.py.
The rest of this change is just fixing the Chromium port unittests
to run on all systems (including changing the Chromium port to
use FileSystem.path_to_module instead of file).